From f5727cd31283aa478f7f9396c6eb7b5aceebb869 Mon Sep 17 00:00:00 2001 From: Xiubo Li Date: Wed, 30 Apr 2014 17:31:08 +0800 Subject: [PATCH 1/3] regmap: Fix possible ZERO_SIZE_PTR pointer dereferencing error. Since we cannot make sure the 'len = pair_size * num_regs' will always be none zero from the users, and then if 'num_regs' equals to zero by mistake or other reasons, the kzalloc() will return ZERO_SIZE_PTR, which equals to ((void *)16). So this patch fix this with just doing the 'len' zero check before calling kzalloc(). Signed-off-by: Xiubo Li Signed-off-by: Mark Brown --- drivers/base/regmap/regmap.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c index 63e30ef096e2..9596f3048939 100644 --- a/drivers/base/regmap/regmap.c +++ b/drivers/base/regmap/regmap.c @@ -1615,6 +1615,9 @@ static int _regmap_raw_multi_reg_write(struct regmap *map, size_t pair_size = reg_bytes + pad_bytes + val_bytes; size_t len = pair_size * num_regs; + if (!len) + return -EINVAL; + buf = kzalloc(len, GFP_KERNEL); if (!buf) return -ENOMEM; From b48d13988bee440e43a510ea8878f1f329cee189 Mon Sep 17 00:00:00 2001 From: Geert Uytterhoeven Date: Tue, 22 Apr 2014 12:47:29 +0200 Subject: [PATCH 2/3] regmap: Add missing initialization of this_page MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit drivers/base/regmap/regmap.c: In function ‘_regmap_range_multi_paged_reg_write’: drivers/base/regmap/regmap.c:1665: warning: ‘this_page’ may be used uninitialized in this function Signed-off-by: Geert Uytterhoeven Signed-off-by: Mark Brown --- drivers/base/regmap/regmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c index 9596f3048939..35869755d464 100644 --- a/drivers/base/regmap/regmap.c +++ b/drivers/base/regmap/regmap.c @@ -1665,7 +1665,7 @@ static int _regmap_range_multi_paged_reg_write(struct regmap *map, int ret; int i, n; struct reg_default *base; - unsigned int this_page; + unsigned int this_page = 0; /* * the set of registers are not neccessarily in order, but * since the order of write must be preserved this algorithm From 2e804b7c72d4efd2318428a2c1e40fd0e173c487 Mon Sep 17 00:00:00 2001 From: Philipp Zabel Date: Fri, 16 May 2014 16:25:34 +0200 Subject: [PATCH 3/3] regmap: mmio: Fix regmap_mmio_write for uneven counts Commit 932580409a9dacbf42215fa737bf06ae2c0aa624 "regmap: mmio: Add support for 1/2/8 bytes wide register address." broke regmap_mmio_write for uneven counts, for example 32-bit register addresses with no padding and 8-byte values (count = 5). Fix this by allowing all counts large enough to include some value. This check was BUG_ON(count < 4) before the last change. Signed-off-by: Philipp Zabel Signed-off-by: Mark Brown --- drivers/base/regmap/regmap-mmio.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/base/regmap/regmap-mmio.c b/drivers/base/regmap/regmap-mmio.c index 1e03e7f8bacb..902c4fb5c760 100644 --- a/drivers/base/regmap/regmap-mmio.c +++ b/drivers/base/regmap/regmap-mmio.c @@ -61,9 +61,9 @@ static int regmap_mmio_regbits_check(size_t reg_bits) } } -static inline void regmap_mmio_count_check(size_t count) +static inline void regmap_mmio_count_check(size_t count, u32 offset) { - BUG_ON(count % 2 != 0); + BUG_ON(count <= offset); } static int regmap_mmio_gather_write(void *context, @@ -120,7 +120,7 @@ static int regmap_mmio_write(void *context, const void *data, size_t count) struct regmap_mmio_context *ctx = context; u32 offset = ctx->reg_bytes + ctx->pad_bytes; - regmap_mmio_count_check(count); + regmap_mmio_count_check(count, offset); return regmap_mmio_gather_write(context, data, ctx->reg_bytes, data + offset, count - offset);